On Sun, 10 Jun 2001 [EMAIL PROTECTED] wrote:
> Egress filtering at border points is appropriate for leaf networks.
Which is exactly what I'm proposing.
> Many ISPs, though, also ferry third-party traffic between their
> peering points; it would be inappropriate for them to accept traffic
> that an egress rule elsewhere will prevent them from delivering.
Egress rules don't prevent anything from being delivered if the egress is
legitimate.
> This isn't to say that it can't or shouldn't be done, only that
> determining how much filtering should be done, and at which routers,
> may be less simple for multi-homed ISPs than it sounds.
Once again, I'm stressing that end-user network filtering be the
major point of egress filtering, not ISP networks.
ISPs can do fairly easy filtering based on prefixes they transit or
announce, but I agree with the contention that the aggregation of traffic
is too much at those points to not affect performance by filtering in the
transit space. ISPs' hosting networks should, of course, employ egress
filtering, but in that case, they're acting as a leaf node, not a transit
entity.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
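
The leaf-versus-transit distinction argued in this thread, as an added example that is not part of the original message: a source-prefix egress check applied at a leaf border and at a transit border. The prefixes are constructed (RFC 5737 documentation ranges) and all function and variable names are hypothetical.

```python
import ipaddress

def make_egress_filter(allowed_prefixes):
    """Build a source-address egress check for one border.

    A packet may leave only if its source address falls inside one of
    the prefixes that are legitimately originated behind this border.
    """
    nets = [ipaddress.ip_network(p) for p in allowed_prefixes]

    def permit(src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in nets)

    return permit

# Constructed sample address space (assumption, not from the thread).
LEAF_PREFIXES = ["192.0.2.0/24"]                     # end-user network's own space
ISP_ANNOUNCED = ["198.51.100.0/24"]                  # ISP's own / hosting space
ISP_TRANSITED = ["192.0.2.0/24", "203.0.113.0/24"]   # prefixes the ISP carries for others

# Constructed sample packets: (source address, description).
PACKETS = [
    ("192.0.2.10", "host inside the leaf network"),
    ("203.0.113.7", "host in a third-party network"),
    ("10.1.2.3", "RFC 1918 source, spoofed or leaked"),
]

def evaluate(permit, packets=PACKETS):
    """Return {source: permitted?} for each sample packet."""
    return {src: permit(src) for src, _ in packets}

def leaf_border():
    # Leaf: one short list of own prefixes; legitimate egress always passes.
    return evaluate(make_egress_filter(LEAF_PREFIXES))

def transit_border_announced_only():
    # Transit ISP filtering on its own space only: third-party traffic it
    # is supposed to ferry is dropped, which is the objection quoted above.
    return evaluate(make_egress_filter(ISP_ANNOUNCED))

def transit_border_with_transited():
    # Transit ISP filtering on prefixes it transits or announces.
    return evaluate(make_egress_filter(ISP_ANNOUNCED + ISP_TRANSITED))

if __name__ == "__main__":
    for name, fn in [("leaf", leaf_border),
                     ("transit, announced only", transit_border_announced_only),
                     ("transit, announced + transited", transit_border_with_transited)]:
        print(name, fn())
```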